Greece – New regulatory framework on the protection of persons who report breaches of EU law (whistleblowers)

With Law 4990/2022 (Government Gazette A’ 210/11.11.2022) (hereinafter, the “Law”), the major issue of the protection of the persons who report breaches of Union law is addressed. Specifically, persons who work for a public or private organisation or are in contact with such an organisation in the context of their work-related activities are often the first to know about threats or harm to the public interest which arise in that context.

By reporting breaches of Union law that are harmful to the public interest, such persons act as “whistleblowers” and thereby play a key role in exposing and preventing such breaches and in safeguarding the welfare of society. However, potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear or threat of retaliation. In this context, the importance of providing balanced and effective whistleblower protection is increasingly acknowledged at both Union and international level.

Necessity and Purpose of the Law

The purpose of this Law is the establishment of a unified protection framework for persons reporting breaches of Union law, as well as the transposition of the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 (L 305).

Moreover, this Law sets out provisions for the following issues:

i) establishment of internal and external reporting system of Union law breaches;

ii) protection of persons that report such breaches;

iii) establishment of a procedure for the submission, acceptance and monitoring of reports as well as

iv) penalties for any breach of the Law.

Basic provisions of the new Law

• Material scope: This Law lays down common minimum standards for the protection of persons reporting the following breaches of Union law:

a.     breaches falling within the scope of the Union acts set out in Part I of the Annex of the Law, that concern the following areas:

i.      public procurement;

ii.     financial services, products and markets, and prevention of money laundering and terrorist financing;

iii.    product safety and compliance;

iv.   transport safety;

v.     protection of the environment;

vi.   radiation protection and nuclear safety;

vii.  food and feed safety, animal health and welfare;

viii. public health;

ix.    consumer protection;

x.     protection of privacy and personal data, and security of network and information systems;

b.     breaches affecting the financial interests of the Union as referred to in Article 325 TFEU;

c.     breaches relating to the internal market, as referred to in Article 26(2) TFEU, including breaches of Union competition and State aid rules, breaches relating to the internal market in relation to acts which breach the rules of corporate tax or to arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law.

The protection of persons who report breaches of the procurement rules involving defense or security aspects, do not fall within the scope of the Law.

• Personal scope: the following persons fall within the protection net of this Law:

I.  a. persons working in the private or public sector who acquired and report   information on breaches in a work-related context and specifically:

• persons having the status of worker, regardless of whether their occupation is full/partial, permanent/temporary, or they work under secondment from another body/authority;
• persons having self-employed status, or consultants or employees working remotely (home workers);
• shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including non-executive members, as well as volunteers and paid or unpaid trainees;
• any persons working under the supervision and direction of contractors, subcontractors and suppliers.

b. reporting persons where they report or publicly disclose information on  breaches acquired in a work-based relationship which is not in force (has ended/has not started yet).

II. The measures for the protection of reporting persons shall also apply to:

• facilitators;
• third persons - such as colleagues or relatives of the reporting persons - who are connected with the reporting persons and who could suffer retaliation in a work-related context; and
• legal entities that the reporting persons own, work for or are otherwise connected with in a work-related context.
• Conditions for protection of reporting persons: reporting persons shall qualify for protection provided that they had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the scope of the Law.
• Types of Reporting channels and relevant provisions: the Law provides for the following types of reporting:

1.    Internal Reporting: the oral or written communication of information on breaches towards the Responsible person for the Acceptance and Monitoring of Reporting (“RAMR”) within a legal entity in the private or public sector.

A.   Internal Reporting in public sector:

• The entities in the public sector with fifty (50) or more employees are obliged to designate a RAMR, regarding breaches that fall within the scope of the Law.
• •In entities of the public sector with maximum forty nine (49) employees, the duties of the RAMR are executed by the Integrity Consultant of art. 23 of Law 4795/2021 or the RAMR of the supervising Ministry if an Integrity Consultant has not been designated.

B.    Internal Reporting in private sector:

• The entities in the private sector with fifty (50) or more employees – regardless the nature of their duties, the duration of their occupation within the year – are obliged to designate a RAMR, regarding breaches that fall within the scope of the Law.
• The entities in the private sector with less than fifty (50) employees can designate a RAMR. In case there is no RAMR, the report can be submitted with the National Transparency Authority (“NTA”).
• The entities in the private sector that operate in the sectors of financial services, products and markets, transportation and environment, as well as the entities that operate subject to an approval decision of environmental terms, or whose operations may cause danger for the environment and public health, are obliged to designate a RAMR, regardless the number of their employees.
• The entities in the private sector with fifty (50) to two hundred and forty-nine (249) employees may share resources as regards the receipt of reports.
• The term of the RAMR is at least one (1) calendar year, but it can be terminated earlier on just and proper grounds.
• The RAMR can be an employee of the private sector or a third person.
• The rules for the execution of duties as well as the impediments for the designation of a RAMR are set out in the Law (indicatively, pending criminal prosecution or conviction for felonies and other crimes, disciplinary offense, being suspended etc.).
• The obligation for the designation of a RAMR is substantiated by the Labour Inspectorate, which notifies the NTA for statistic reasons.
• The breach of the obligation for the designation of a RAMR may result in fines being imposed by the Labour Inspectorate or the competent supervising authority.

C.    Procedure for Internal Reporting:

• The internal report is submitted in writing or orally – via telephone or other systems of oral messaging, and via a personal meeting with the RAMR – or via an electronic platform, accessible to persons with disabilities, that is operating on the website of the public or private entity.
• Duties of the RAMR:

                      i.     providing necessary information regarding the possibility of submitting a report within the entity and disclosure of such information in a visible spot;

                     ii.     accepting of the reports;

                   iii.     confirming report’s receipt to the reporting person within seven (7) working days from the day of acceptance;

                   iv.     taking actions so that the competent bodies address the report or terminate the procedure and archive the report if it: a) is unintelligible or b) is submitted abusively or c) does not substantiate a breach or does not include major indications for such a breach. The decision for archiving the report is notified to the reporting person, who may resubmit the report to the NTA;

                     v.     ensuring the protection of confidentiality of the reporting person’s identity, as well as of any third person named in the report;

                   vi.     monitoring the reports and maintaining communication with the reporting person;

                  vii.     informing the reporting person regarding the actions that have been taken within a reasonable term, not exceeding three (3) months from the confirmation of receipt;

                viii.     providing clear and accessible information for the procedures of submitting reports to the NTA and to entities of the public sector or other institutions or organizations of the European Union;

                   ix.     designing and coordinating training sessions regarding ethics and integrity.

2.    External Reporting: the oral or written or via an electronic platform communication of information on breaches towards the NTA, in its capacity as the competent authority for the acceptance/receipt, management and monitoring of reports submitted towards the latter directly.

Procedure for External Reporting:

• The external report is submitted in writing or orally – via telephone or other systems of oral messaging, and via a personal meeting – or via an electronic platform, accessible to persons with disabilities, that is operating on the website of the public or private entity.
• Duties of the NTA:

                   i.     confirmation of report’s receipt to the reporting person within seven (7) working days from the day of acceptance;

                 ii.     prioritization of reports relating to serious breaches/breaches of essential provisions;

                iii.     termination of the procedure and archiving of report if it a) does not include facts that substantiate a breach of the Union law/no major indications of breach are implied/is obviously of little relevance or b) is repeated without any new information;

                iv.     transmission of the report to any competent authorities;

                 v.     monitoring of reports;

                vi.     notifying the reporting person within three (3) to six (6) months (in especially justified occasions);

              vii.     notifying the final result of the investigation to the reporting person;

             viii.     uploading useful information for the procedure for the submission of reports to its website.

3.    Public disclosure: the making of information on breaches available in the public domain (especially in media and websites).

• A person who makes a public disclosure shall qualify for protection if any of the following conditions is fulfilled:

                      i.     the person first reported internally - to the RAMR or the Integrity Consultant - or directly externally to the NTA, but no appropriate action was taken in response to the report within the set timeframe;

                     ii.     the person has reasonable grounds to believe that the breach may constitute danger to the public interest, or there is an emergency situation or a risk of irreversible damage, or in the case of external reporting to the NTA, there is a risk of retaliation or there is a low prospect of the breach being effectively addressed, due to the particular circumstances of the case.

• Duty of confidentiality: the rule of non-disclosure of the identity of the reporting person applies unless there is an explicit consent of that person. By way of exception, the identity of the reporting person may be disclosed only where this is a necessary and proportionate obligation imposed by legislation in the context of investigations by national authorities or judicial proceedings, after a written notification to such person.
• Provisions relating to the lawful processing of personal data are applicable, pursuant to Regulation (EU) 2016/679 and Law 4624/2019.
• The competent authorities should keep records of every report received so that these can be retrievable and in case until the completion of the investigation or judicial procedure.
• Protection measures of reporting persons:

I.      Prohibition of retaliation: any form of retaliation against reporting persons, including threats of retaliation and attempts of retaliation is prohibited, either it comes from the employer or third persons. The Law includes indicative cases of prohibited retaliation actions (suspension, dismissal, withholding of promotion, reduction in wages, change in working hours, negative performance assessment, intimidation, harm, including to the person's reputation etc.).

II.     Measures for protection against retaliation: the liability of the reporting person is lifted, when it relates to the access to information or information acquisition, provided that such acquisition or access do not constitute a criminal offense. Moreover, the liability of the reporting person is lifted for the breach of provisions of criminal, administrative or civil law, that imped its report, if the reporting person had reasonable grounds to believe that its report/public disclosure was essential to reveal the breach. There are also procedural safeguards for the protection of the reporting person until the completion of the report’s investigation.

III.   Measures of support: the reporting persons shall have access to the provisions for legal and psychological support.

IV.  Remedies: the reporting persons are entitled to remedies and full compensation provided for any retaliation, and it is presumed that the damage suffered was a retaliation for the reporting/public disclosure.

• The Law provides for penalties for hindering/attempting to hinder reporting, retaliating against reporting persons as well as breaching the duty of maintaining the confidentiality of the identity of reporting persons.
• Subject to a joint ministerial decision, all the activity code numbers of the entities that will fall within the scope of the Law, will be specified.
• Deadlines for Compliance with the obligation for the establishment of internal reporting channel:

                          i.     Entities in private sector with 50-249 employees: until 17.12.2023 and notification to the Labor Inspectorate/competent supervising authority within two (2) months from compliance.

                        ii.     Entities in private sector with more than 249 employees: within six (6) months from the entry into force of the Law and notification to the Labor Inspectorate/competent supervising authority within two (2) months from compliance.

                       iii.     Entities in public sector: within six (6) months from the entry into force of the Law.

                       iv.     Initiation of ability to submit a report with NTA: decision of NTA’s Director within nine (9) months from the entry into force of the Law.

Conclusions

The effective detection and prevention of Union law breaches that cause serious harm to the free competition and public interest are of outmost importance. Therefore, this Law enhances the building of trust in the effectiveness of the overall system of whistleblower protection with the establishment of a reporting channels system (internal and external). In this way, emphasis is placed on the principle of transparency, the strengthening of which is a crucial pillar of the rule of law and the proper operation of the market.

Moreover, the establishment of an effective protection net for persons who report breaches of Union law is required for the encouragement of such persons, for the purposes of revealing a breach of public interest.  By this Law, these persons are safeguarded not only in the context of an effective protection against retaliation, but also guaranteed in terms of their confidentiality and anonymity.